
Google Announces 5 Major Security Updates for Chrome Browser Extensions.

Automated Publishing Via Osuta Yusuf Robot Trigger.

Google has made several new announcements for its Chrome Web Store that aim to make Chrome extensions more secure and transparent to its users.

Over the past couple of years, we have seen a significant rise in malicious extensions that appear to offer useful functionality while running hidden malicious scripts in the background without the user's knowledge.

However, the best part is that Google is aware of the issues and has proactively been working to change the way its Chrome web browser handles extensions.

Earlier this year, Google banned extensions using cryptocurrency mining scripts and then in June, the company also disabled inline installation of Chrome extensions completely. The company has also been using machine learning technologies to detect and block malicious extensions.

To take a step further, Google announced Monday five major changes that give users more control over certain permissions, enforce security measures, and make the ecosystem more transparent.

Here are the new changes Google has included in Chrome 70, which is scheduled to arrive later this month, to make extensions more secure:

1) New Host Permissions for Chrome Extensions

Until now, if an extension asked for permission to read, write, and change data on all websites, there was no option that let users explicitly blacklist or whitelist a specific set of websites.

"While host permissions have enabled thousands of powerful and creative extension use cases, they have also led to a broad range of misuse—both malicious and unintentional—because they allow extensions to automatically read and change data on websites," says James Wagner, Chrome extensions product manager.

However, starting from Chrome 70 (currently in beta), users will be able to control when and how Chrome extensions can access site data, allowing them to restrict access for all sites and then grant temporary access to a specific website when required, or enable permissions for a specific set of websites or all sites.

As shown in the screenshot above, right-clicking on an extension in Chrome 70 reveals a new menu that lets users determine if it "can read and change site data." If so, you have an option to choose between "When you click the extension," "On the current website" or "On all sites."

Chrome extension developers are advised to make these changes to their extensions as soon as possible.
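
For developers checking how much site access their own extension requests, here is an added example (not code from the article or from Google) that parses a manifest and separates host patterns covering every site from scoped ones. The sample manifest is constructed, the function names are hypothetical, and `activeTab` is an existing Chrome permission that the article itself does not mention.

```javascript
// Added example (not Chrome's or Google's code): list the site access an
// extension manifest requests and flag patterns that cover every site.
const ALL_SITES = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// True if a "permissions" entry is a host match pattern rather than an API name.
function isHostPattern(entry) {
  return entry === '<all_urls>' || /^(\*|https?|file|ftp):\/\/[^/]*\/.*$/.test(entry);
}

// Broad = every host, or every host under a whole TLD such as *://*.com/*.
function isBroad(pattern) {
  if (ALL_SITES.has(pattern)) return true;
  const m = /^[^:]+:\/\/([^/]*)\//.exec(pattern);
  return !!m && (m[1] === '*' || /^\*\.[a-z]+$/i.test(m[1]));
}

function auditManifest(manifest) {
  // Manifest version 2 mixes API names and host patterns in "permissions";
  // content script "matches" also grant access to the matched sites.
  const requested = [
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
    ...(manifest.content_scripts || []).flatMap(cs => cs.matches || []),
  ];
  const hosts = [...new Set(requested.filter(isHostPattern))];
  return {
    broad: hosts.filter(isBroad),
    scoped: hosts.filter(h => !isBroad(h)),
    usesActiveTab: (manifest.permissions || []).includes('activeTab'),
  };
}

// Constructed sample manifest (manifest version 2 layout).
const sampleManifest = {
  manifest_version: 2,
  name: 'Constructed sample',
  version: '1.0',
  permissions: ['storage', 'tabs', '<all_urls>', 'https://api.example.com/*'],
  content_scripts: [{ matches: ['*://*.com/*'], js: ['content.js'] }],
};

console.log(auditManifest(sampleManifest));
```

Every entry under `broad` is access that a Chrome 70 user can now restrict to click-time or to specific sites, so the extension should still work when that access is withheld.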

2) Google Bans Code Obfuscation for Chrome Extensions

It's no secret that even with all security measures in place, malicious Chrome extensions find their way into the Chrome Web Store.

The reason is obfuscation, a technique primarily aimed at protecting the intellectual property of software developers by making programs harder to understand, detect or analyze.

However, malware authors often use packing or obfuscation techniques to make it difficult for Google's automated scanners to review extensions and detect or analyze the malicious code.

According to Google, more than 70% of "malicious and policy violating extensions" that it blocks contain obfuscated code. However, with Chrome 70, the Chrome Web Store will no longer allow extensions with obfuscated code.

Google also argues that code obfuscation is insufficient to protect developers' code from a genuinely motivated reverse engineer, because JavaScript code is always running locally on a user's machine. Also, easily accessible code speeds up performance.

New extension submissions to the Chrome Web Store have to be free of obfuscated code starting immediately, and developers have 90 days to clean their Chrome extensions of obfuscated code, whether it is in the extension package or fetched from the web.
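
To show what reviewing a package for obfuscated code can look like in practice, the following added example (not Google's scanner and not code from the article) applies a few common triage heuristics to the JavaScript files of an extension package. The signal names, thresholds and the sample package are constructed assumptions.

```javascript
// Added example: heuristic signals for triaging obfuscated extension code.
// Thresholds are assumptions chosen for illustration, not Chrome Web Store rules.
const SIGNALS = [
  // Machine-generated identifiers such as _0x3f2a, typical of obfuscator output.
  { name: 'hex-identifiers', re: /\b_0x[0-9a-f]{3,}\b/gi, min: 3 },
  // String literals written entirely as \xNN escapes.
  { name: 'escaped-strings', re: /(?:\\x[0-9a-f]{2}){4,}/gi, min: 1 },
  // Code built from strings at run time.
  { name: 'dynamic-eval', re: /\beval\s*\(|\bnew\s+Function\s*\(/g, min: 1 },
  // Long base64-looking literals that may hide a packed payload.
  { name: 'encoded-blob', re: /["'][A-Za-z0-9+/]{120,}={0,2}["']/g, min: 1 },
];

// Returns the signals that fire for one source text, with match counts.
function scanSource(src) {
  const hits = [];
  for (const { name, re, min } of SIGNALS) {
    const count = (src.match(re) || []).length;
    if (count >= min) hits.push({ name, count });
  }
  return hits;
}

// files: { path: sourceText }. Only .js files are scanned.
function scanPackage(files) {
  const report = {};
  for (const [path, src] of Object.entries(files)) {
    if (!path.endsWith('.js')) continue;
    const hits = scanSource(src);
    if (hits.length) report[path] = hits.map(h => h.name);
  }
  return report;
}

// Constructed sample package: one readable file, one obfuscated-looking file.
const samplePackage = {
  'popup.js': "document.getElementById('save').addEventListener('click', () => save());",
  'background.js': "var _0x3f2a=['\\x6c\\x6f\\x67\\x21'];(function(_0x1b2c,_0x4d5e){eval(_0x1b2c[_0x4d5e]);})(_0x3f2a,0x0);",
  'manifest.json': '{"manifest_version": 2}',
};

console.log(scanPackage(samplePackage));
```

A hit only tells a reviewer which file to read first; it is not a verdict. The scan covers files inside the package, so code fetched from the web at run time needs to be collected and checked separately.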

3) Mandatory 2-Step Verification for Developers

Last year, we saw a new wave of phishing attacks aimed at hijacking popular browser extensions, then updating them with malicious code and distributing them to their tens of millions of users.

Well, two-step verification can prevent that from happening. Starting in January, Google will require developers to enable two-step verification on their Chrome Web Store accounts to lower the risk of hackers taking over their extensions.

"If your extension becomes popular, it can attract attackers who want to steal it by hijacking your account, and 2-Step Verification adds an extra layer of security by requiring a second authentication step from your phone or a physical security key," Wagner says.

4) New Extensions Review Process… and It’s Strict!

With Chrome 70, Google will also start performing a more in-depth review of extensions that ask for "powerful permissions."

Besides this, the company will also start closely monitoring extensions with remotely hosted code to spot malicious changes quickly.

5) New Manifest Version 3 For Chrome Extensions

Google also plans to introduce a new version of the extensions platform manifest, version 3, which aims at enabling "stronger security, privacy and performance guarantees."

Google will introduce Manifest version 3 in 2019, which will narrow the scope of its APIs, make permission control mechanisms easier for users, and support new web capabilities such as Service Workers as a new background process.

With more than 180,000 extensions in the Chrome Web Store, Google believes these new changes would make browsing the Web more secure for millions of users.
